James Stephens

January 25, 2006

Iptables - What Is It?

Filed under: Iptables — James Stephens @ 8:10 am

Iptables is the firewall and packet-filtering tool that replaced the userspace tool ipchains from the Linux 2.4 kernel onwards: the `iptables` command configures the netfilter framework inside the kernel, and both are part of the netfilter project. Iptables has many more features than ipchains and is also structured more sensibly. Points of note are as follows:

  • Connection tracking, which makes stateful packet inspection possible. This works for ICMP and UDP as well as TCP. For instance, stateful ICMP filtering lets you accept an ICMP echo-reply only if a matching echo-request went out. This is something you couldn't do with ipchains: most people blocked echo-requests but blindly accepted echo-replies on the assumption that they would always be in response to their own pings. Not true. Unsolicited echo-replies can be the backscatter of a Smurf amplification attack, Tribe Flood Network (TFN) traffic between master and daemon, or a Loki2 back-door channel.
  • Simpler traversal of the built-in chains (INPUT, OUTPUT and FORWARD). On multi-homed hosts, packets routed between interfaces traverse only the FORWARD chain rather than all three built-in chains as they did under ipchains (provided packet forwarding is enabled, of course). Packets delivered to the host itself see only INPUT, and packets generated by it see only OUTPUT.
  • A clean separation of packet filtering and network address translation (NAT). This is very nice; in ipchains masquerading was done as part of the packet filtering, but in iptables NAT lives in its own nat table and masquerading is treated as a particular type of source NAT (SNAT), as it should be. Redirection, in turn, is treated as a particular type of destination NAT (DNAT). SNAT is done after routing (the POSTROUTING chain) and DNAT before routing (PREROUTING), which makes it easy to define your filter rulebase first and add NAT as an afterthought. One consequence worth remembering when writing filter rules: FORWARD sees the destination address after DNAT and the source address before SNAT, so rules for a published server must match its real internal address.
  • Rate-limited connection and logging capability, via the limit match. Now you can throttle connection attempts, as in SYN-flooding attacks, and also prevent your logs from being flooded, as happened in the Jolt2 fragment-driven attack against Check Point's Firewall-1. Another very nice feature.
  • The ability to filter by TCP flags and TCP options, by source MAC address, and even by time of day.
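As an added example (not one of the author's downloadable rulesets), here is a shell function that emits an iptables-restore ruleset exercising each of the features listed above: the stateful ICMP handling, FORWARD-only traversal for routed traffic, the separate nat table with DNAT before routing and SNAT after it, rate limits on both new connections and log lines, and TCP-flag, MAC and time-of-day matches. The interfaces (eth0 external, eth1 internal), the 192.168.1.0/24 LAN, the 192.168.1.10 web server, the admin MAC address and the rate values are constructed placeholders. It uses the `-m state` match of the 2.4/2.6 era (`-m conntrack --ctstate` is the modern spelling) and the `-m time` syntax of the current xt_time extension (the 2006 ipt_time patch used `--days` instead of `--weekdays`).

```shell
#!/bin/sh
# Added example, not from the original post: emit an iptables-restore ruleset that
# exercises each iptables feature discussed above. Assumed (constructed) topology:
#   eth0 = external interface, eth1 = internal LAN 192.168.1.0/24,
#   192.168.1.10 = internal web server, 00:11:22:33:44:55 = admin workstation MAC.
gen_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
:SYN_LIMIT - [0:0]
# Rate-limited logging: at most 3 log lines/min (burst 5), then silently drop.
# An unlimited LOG rule is exactly how an attacker fills the disk with junk.
-A LOG_DROP -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "fw-drop: " --log-level 4
-A LOG_DROP -j DROP
# Connection-rate limit for new TCP connections (SYN-flood mitigation):
# up to 20 SYN/s (burst 50) RETURN to the calling chain, anything faster is dropped.
-A SYN_LIMIT -m limit --limit 20/s --limit-burst 50 -j RETURN
-A SYN_LIMIT -j DROP
-A INPUT -i lo -j ACCEPT
# Stateful core: a packet is accepted only if conntrack saw the matching request
# leave. For ICMP that means a reply to our own ping is ESTABLISHED; an unsolicited
# reply matches nothing below and ends up in LOG_DROP.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Answer pings, but only at a limited rate.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
# TCP-flag filtering: NULL and XMAS scan packets are never legitimate.
-A INPUT -p tcp --tcp-flags ALL NONE -j LOG_DROP
-A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j LOG_DROP
# Every new connection attempt passes through the SYN rate limiter first.
-A INPUT -p tcp --syn -j SYN_LIMIT
# SSH only from the admin workstation's MAC on the local segment. MACs are trivially
# spoofed, so this is hygiene, not authentication; keep SSH keys in any case.
-A INPUT -i eth1 -p tcp --dport 22 -m mac --mac-source 00:11:22:33:44:55 -m state --state NEW -j ACCEPT
-A INPUT -j LOG_DROP
# Routed traffic traverses only FORWARD (not INPUT and OUTPUT as under ipchains).
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Time-of-day filtering: the LAN may open new outbound connections only in office hours.
-A FORWARD -i eth1 -o eth0 -m state --state NEW -m time --timestart 08:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
# This rule sees the post-DNAT destination 192.168.1.10, not the firewall's external IP.
-A FORWARD -i eth0 -o eth1 -d 192.168.1.10 -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -j LOG_DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT happens before routing: publish the internal web server on the external address.
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
# SNAT happens after routing: MASQUERADE is SNAT to whatever address eth0 currently has.
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
COMMIT
EOF
}

# Print the ruleset; to load it on the firewall: gen_ruleset | iptables-restore
gen_ruleset
```

Review the output before loading it (`gen_ruleset | less`), and remember to enable forwarding (`sysctl -w net.ipv4.ip_forward=1`) or the FORWARD chain will never see a packet. The test of the stateful ICMP point is that no rule mentions echo-reply at all: replies get in only through the ESTABLISHED rule, which conntrack satisfies solely for a request the host itself sent.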

Downloads

Three example Iptables firewall rulesets are available “here”.
